Title: GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS
GENERAL AUDIT APPROACH IN INFORMATION SYSTEMS

OBJECTIVES
- Understand how controls are evaluated
- Describe the steps and tasks to be followed to effectively perform an information systems audit
- Identify the methods, tools and techniques an auditor uses in accomplishing the audit objectives
AUDIT OF CONTROLS
- An audit is an evaluation of the adequacy of controls
- Security policy and standards
  - Verify whether a security policy exists
  - If it exists, study it for adequacy, currency and the procedures for updating it
  - If it does not exist, mention this in the audit report together with suggested contents
  - A corporate security policy is important to ensure security awareness throughout the organization and the enforcement of security standards
AUDIT OF CONTROLS
- Steering Committee
  - One member at Board level, the Manager of IS and the managers of user departments
  - Changes to existing systems and procedures are approved by the SC
  - If a committee does not exist, the auditor should include this in the report and recommend the formation of a committee, specify its duties and responsibilities and highlight the benefits
- Business Continuity Planning
  - Verify whether the organization has a well-documented and updated BCP
  - Verify its effectiveness, seek evidence of the frequency of testing of the plan, its adequacy and currency, and suggest improvements
AUDIT OF CONTROLS
- Systems Development Methodology
  - Requires strict documentation and procedures
  - Lack of documentation, ad hoc changes to programs and different versions of the same program running in different branches are inadvisable practices in program development
  - The auditor should mention the lack of procedure, highlight the impact of such lapses and suggest remedial measures
- Operational Controls
  - Verify the procedures for physical access to the computerized environment
  - Observe the entry system to verify the effectiveness of the restrictive measures
AUDIT OF CONTROLS
- Environmental Control
  - The working condition of equipment and the maintenance schedule need to be checked, e.g. temperature control equipment, air-conditioning, smoke detectors
  - The auditor should comment on this aspect
- Electric supply
  - The existence and efficacy of voltage stabilizers need to be examined
- Organizational Control
  - The auditor should ask for the names of employees in the IT department and their responsibilities and duties
  - Where irregularities are found, the auditor should highlight them and suggest corrective actions
GENERAL APPROACH TO PERFORM AN AUDIT
- Purviewing the environment
- Understand IS
- Identifying audit risks
- Identifying audit evidence
- Identifying key control points
- Identifying control weaknesses
- Verifying veracity of computer files
- Conducting audit tests
- Concluding the audit
PURVIEWING THE ENVIRONMENT
- The auditor should purview the environment for the following reasons
  - Understand the environment in which the application is being run
  - Meet the data processing and auditee departments to prepare a list of personnel
  - Assess whether the computer center has the capacity and capability to run audit software
  - Improve the auditor's IT knowledge base through the learning experience
  - Understand the scope of the audit and decide on the areas to concentrate on
PURVIEWING THE ENVIRONMENT
- Tasks to perform while purviewing the environment
  - Understand the audit objectives
  - Define the scope
  - Conduct the initial interview
  - Obtain background information
- Understand the audit objectives to get a clear perspective on them
  - Has the area been audited before?
  - When was it last audited and what were the results?
  - Why has the area been chosen for auditing?
  - Is there any apprehension about problems existing in the area, or do problems already exist?
PURVIEWING THE ENVIRONMENT
- Define the scope: the four Ts constrain the scope of an IT audit
  - Time: the auditor needs to spend time with personnel and with the computer
  - Talent: specialized skills are required for an IS audit
  - Tools: specific audit software tools and the availability of audit staff able to utilize them
  - Travel: collection of adequate evidence in distributed data processing
PURVIEWING THE ENVIRONMENT
- Conduct the initial interview: the audit team should meet the personnel of the auditee department and the project team of the IT department
  - A senior official should also be actively associated, to ensure that the IT and auditee departments cooperate with the audit team
PURVIEWING THE ENVIRONMENT
- Obtain background information: the information essential to acquire a proper perspective on the audit objectives, through
  - Previous work papers
  - Interviews: obtain information about the organization (organizational chart, write-up about the IS to be audited, internal/external audit reports)
  - Information from the IT department (organizational chart, policies, procedures, standards, detailed list of all hardware and operating systems)
UNDERSTANDING INFORMATION SYSTEMS
- It is important for the auditor to
  - Understand the terminology and technical jargon
  - Familiarize himself with the necessary computer concepts
  - Gather all possible documentation and understand it
- The auditor should not get lost in technical details (density of a floppy, speed of the processor, etc.)
- Concentrate on the IS objectives, understand the flow of data, and identify audit evidence
UNDERSTANDING INFORMATION SYSTEMS
- The steps involved in understanding the information systems are
  - Discussion with staff regarding the IS and collection of the relevant documents
  - Develop an application flow chart
  - Verify the application flow chart with the concerned project team in the IT department
UNDERSTANDING INFORMATION SYSTEMS
- Discussion with the staff: the auditee department and the project team in the IT department are to be met to collect the necessary documents
  - Documentation from the auditee department explains in non-technical terms what the IS is expected to achieve
  - Documentation from the IT department provides details as to how exactly the system functions
- An auditor should
  - Perform an input transaction walk-through (list the different types of transactions)
  - Perform a systems walk-through (understand the computer system with its different programs)
UNDERSTANDING INFORMATION SYSTEMS
- Peruse the documentation (details of the functioning of the system, the IS objectives and other details necessary for the auditor to understand the system)
- Preparation of an application flow chart: makes use of symbols and provides an easy-to-follow pictorial representation of the processing flow
  - Auditors should prepare the flow charts themselves
- Verification of the application flow chart: verify the accuracy and completeness of the flow chart prepared by the auditor with the IT project team
  - Ensure that the auditor has correctly understood the details of the IS
IDENTIFYING AUDIT RISKS
- The auditor should evaluate all risks: physical threats (fire, flood, earthquake, storm, etc.) and others (human errors, omissions, etc.)
- Steps involved
  - Identify risks: the auditor should be familiar with the application as well as the IT environment in which the applications have been developed
  - Determine the magnitude of the risks and prioritize them: evaluate the risks and prioritize them according to their magnitude
  - Study the controls for their adequacy
IDENTIFYING AUDIT RISKS
- Risks commonly associated with an IT environment
  - Unreasonable processing: a wrong value entered into the computer system
  - Repetition of errors: a single error in data is sufficient to produce a large volume of errors
  - Cascading of errors: an initial error gives rise to another error, and so on
  - Incorrect entry of data: data which is properly authorized could be entered incorrectly, e.g. in an on-line system
  - Concentration of responsibilities in one area: distributing responsibility for implementing controls among many persons would highlight any failure
IDENTIFYING AUDIT EVIDENCE
- Evidence is needed to support input, processing and output
- A clear understanding of the evidence and its identification forms the foundation for conducting an effective audit
- Different types of electronic evidence
  - Computer transactions
  - Source code of programs
  - Processing logs
  - System documentation
  - Program documentation
  - User documentation
  - Error messages
IDENTIFYING AUDIT EVIDENCE
- Steps involved in identifying evidence
  - Prepare an exhaustive list of all evidence produced by the system: prepare a data flow diagram that records the evidence internal to the IS
  - Evidence external to the system can be obtained from users, system analysts, programmers and the security officer
- Documenting audit evidence: the auditor should know the following
  - Medium: data contained on hard disc, floppy or tape
  - Format: data is stored in different ways (serially, sequentially, etc.)
  - DBMS: data is independent of applications
  - Backup period: the period of preservation of data
  - Frequency of creation: be familiar with the frequency of creation of the file
  - Composition of data on the file: gather information regarding records, formats and layouts
IDENTIFYING KEY CONTROL POINTS
- The auditor needs to concentrate on the risks of higher magnitude and on the key controls
- Key control points are the points in the system where the risk is greatest and the controls are most important
- Methodology to assess the weaknesses in control points
  - Check list or questionnaire
  - Matrix
  - Control flow chart
IDENTIFYING KEY CONTROL POINTS
- A questionnaire should be tailored to the customer's needs
- A check list provides an exhaustive list of items
  - Disadvantages
    - Difficult to understand unless the auditor is computer literate
    - Compensating controls are ignored
- A matrix is prepared with a list of probable weaknesses on one side of the matrix and the controls to strengthen the weaknesses on the other
IDENTIFYING KEY CONTROL POINTS
- A data flow diagram, a graphic presentation of the transaction flow, is prepared
- Locating risk on the DFD: anticipate the type of risk and envisage the controls that need to be built in
- Document the key controls on the DFD: flow charts should be prepared and documented
IDENTIFYING CONTROL WEAKNESSES
- The auditor needs to assess the areas where the probability of error is high
- Steps are taken to concentrate on these areas to strengthen probable weaknesses
- Control weaknesses are determined by the auditor utilizing his power of judgement
- Commonly adopted methodologies for identifying control weaknesses are
  - Control flow chart
  - Conflict matrix
  - Transactions/control matrix
IDENTIFYING CONTROL WEAKNESSES
- Control flow charting is a good technique for identifying risks and key controls
- A conflict matrix is a method of identifying conflicts of interest. It includes the following
  - Identifying people
  - Identifying conflicting actions
  - Completing the matrix
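The three conflict-matrix steps above, worked through in Python as an added example (not part of the slides): people and their permitted actions are listed, pairs of actions that should not be held by one person are declared, and the completed matrix is scanned for persons holding a conflicting pair. The names, actions and conflicting pairs are constructed sample data.

```python
from itertools import combinations

# Constructed sample: who is permitted to perform which actions in the system.
ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"enter_invoice"},
    "carol": {"enter_invoice", "approve_payment", "change_program"},
    "dave": {"change_program", "move_to_production"},
}

# Constructed sample: pairs of actions one person should not hold together.
CONFLICTING_ACTIONS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"change_program", "move_to_production"}),
}


def build_matrix(assignments):
    """Complete the matrix: rows are people, columns are actions (sorted),
    a cell is True when the person may perform that action."""
    actions = sorted({a for acts in assignments.values() for a in acts})
    return actions, {p: [a in acts for a in actions] for p, acts in assignments.items()}


def find_conflicts(assignments, conflicts):
    """Return (person, action_a, action_b) for every conflicting pair one person holds."""
    found = []
    for person, acts in sorted(assignments.items()):
        for a, b in combinations(sorted(acts), 2):
            if frozenset({a, b}) in conflicts:
                found.append((person, a, b))
    return found


def render(assignments):
    """Plain-text view of the completed matrix for the working papers."""
    actions, rows = build_matrix(assignments)
    width = max(len(p) for p in rows)
    lines = [" " * width + " | " + " | ".join(actions)]
    for person, cells in rows.items():
        marks = [("X" if c else "").ljust(len(a)) for c, a in zip(cells, actions)]
        lines.append(person.ljust(width) + " | " + " | ".join(marks))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ASSIGNMENTS))
    for person, a, b in find_conflicts(ASSIGNMENTS, CONFLICTING_ACTIONS):
        print(f"conflict: {person} holds both {a} and {b}")
```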
IDENTIFYING CONTROL WEAKNESSES
- A transaction/control matrix is concerned with those transactions which make an economic commitment to the organization
  - They result in an inflow or outflow of cash
- The process of control assessment consists of
  - Identifying risks: study of the DFD should identify the risks
  - Assessing the magnitude of risk: estimate the risks in terms of absolute figures
  - Assessing the strength of controls: identify the controls and estimate their effectiveness
  - Documenting the identified control weaknesses: by assessing control weaknesses, evaluating the magnitude of risk, assessing the cost of controls and performing audit tests
VERIFYING VERACITY OF COMPUTER FILES
- The information on the files used for conducting the audit must be complete and accurate
- Tasks to be performed by the auditor to verify the veracity of files are
  - Decide on the files to be examined: the files selected are those needed to test the weakness areas identified
  - Save computer files: ensure the required files are available on time for the audit by making a copy of the appropriate master file
  - Verify the integrity of computer files and data by comparing totals of specific fields of records with predetermined totals
  - Ensure that the files contain all the data he wants
CONDUCTING AUDIT TESTS
- Test some transactions on the computer file using different tools and techniques to perform
  - Computations: add, subtract, multiply, divide
  - Compare two fields
  - Sort data in a required manner
  - Summarize and total data
  - Select data from a file on a predetermined basis
- Before performing a test, the auditor should complete
  - Clearly deciding what is expected from the audit test
  - Once the decision is taken on what to test, determining how to accomplish it
CONDUCTING AUDIT TESTS
- Steps followed to perform an audit test
  - Design the test: decide about the computer file and other electronic evidence, the statement of the test objective, and the identification of information other than the computer file
  - Select the tool: the audit tool may be special purpose or general purpose
  - Test the tool: test the audit software program and become familiar with the usage of the tool
  - Execute and use the test results: live production data should be used in place of test data
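Added example (not from the slides) covering the file-veracity check and the audit tests of the two preceding sections in Python, run over a constructed copy of a transaction file: record count and a field total are compared with predetermined totals, then a computation test (qty times unit price against the stored amount), a compare-two-fields test (entered by versus approved by) and a selection test (amount above a threshold) are applied. The field names, records and predetermined totals are all constructed.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: the auditor's saved copy of the transaction file.
SAMPLE_FILE = """txn_id,account,qty,unit_price,amount,approved_by,entered_by
1001,ACC-10,5,20.00,100.00,alice,bob
1002,ACC-11,3,15.50,46.50,alice,bob
1003,ACC-10,10,9.99,99.90,carol,carol
1004,ACC-12,2,250.00,550.00,alice,dave
"""

# Predetermined totals obtained independently of the file (constructed here:
# four authorized source documents whose amounts sum to 746.40).
EXPECTED_RECORD_COUNT = 4
EXPECTED_AMOUNT_TOTAL = Decimal("746.40")


def load(text):
    """Read the saved file copy into a list of record dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def verify_control_totals(rows, expected_count, expected_amount):
    """Veracity check: record count and total of the amount field against predetermined totals."""
    total = sum(Decimal(r["amount"]) for r in rows)
    return {"count": len(rows), "total": total,
            "count_ok": len(rows) == expected_count, "amount_ok": total == expected_amount}


def recompute_amount(rows):
    """Computation test: qty * unit_price must equal the stored amount."""
    return [r["txn_id"] for r in rows
            if Decimal(r["qty"]) * Decimal(r["unit_price"]) != Decimal(r["amount"])]


def same_person_entered_and_approved(rows):
    """Compare-two-fields test: the record was entered and approved by the same person."""
    return [r["txn_id"] for r in rows if r["approved_by"] == r["entered_by"]]


def select_over(rows, threshold):
    """Selection test: records whose amount exceeds a predetermined threshold."""
    return [r["txn_id"] for r in rows if Decimal(r["amount"]) > threshold]


if __name__ == "__main__":
    rows = load(SAMPLE_FILE)
    print(verify_control_totals(rows, EXPECTED_RECORD_COUNT, EXPECTED_AMOUNT_TOTAL))
    print("amount mismatch:", recompute_amount(rows))
    print("entered == approved:", same_person_entered_and_approved(rows))
    print("over 100:", select_over(rows, 100))
```

In the constructed file the record count agrees with the predetermined total but the amount total does not, and the computation test isolates the record responsible.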
CONCLUDING THE AUDIT
- Conclude against the original objectives, determine the audit findings and present recommendations
- Highlight the weaknesses detected during the audit, their causes, the magnitude of their impact and the corrective actions
- Tasks involved in concluding the audit
  - Develop findings: examine the condition and note down significant variations
    - Should be factual and discovered by the auditor
    - Based on standards or guidelines against which the conditions are evaluated
    - Effect, impact and significance of the variance
CONCLUDING THE AUDIT
- Develop audit recommendations carefully so that they are useful and feasible
  - Thoroughly understand the existing system
  - Clearly state the audit findings
  - Consider different alternatives, weighing the cost and benefits of each solution
- Write the audit report
  - Executive summary highlighting the salient features
  - Explicit recommendations highlighting the impact of the weaknesses and the action to be taken
  - Technical jargon avoided